CN104660563A - Method, equipment and system for processing active detection response - Google Patents

Publication number
CN104660563A
Authority
CN
China
Prior art keywords
active probe
probe response
logic
response
negative logic
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310595077.3A
Other languages
Chinese (zh)
Other versions
CN104660563B (en)
Inventor
何申
程叶霞
杨光华
刘钢庭
蔡伟文
李启文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/12 Network monitoring probes

Abstract

The invention discloses a method, device and system for processing an active detection response. The method comprises the following steps: a local device receives an active detection request from a remote device, obtains the IP (Internet Protocol) address of the remote device and obtains the positive-logic active detection response corresponding to the active detection request; the local device judges whether the IP address is within the trusted IP address domain range; if it is, the local device sends the positive-logic active detection response to the remote device; if it is not, the local device performs negative-logic processing on the positive-logic active detection response, obtains a negative-logic active detection response and sends the negative-logic active detection response to the remote device. According to the embodiments of the invention, an attacker is prevented from mining key network data from the active detection response and therefore cannot launch an attack, network security is improved, and the insecurity, information leakage and similar problems caused by positive logic are avoided.

Description

Method, device and system for processing an active probe response
Technical Field
The present invention relates to the fields of communication technology and security technology, and in particular to a method, device and system for processing an active probe response.
Background
With the rapid development of computer and network technology, network scale keeps expanding, bandwidth keeps increasing, network services are becoming more and more diverse, and the devices in a network are becoming more and more varied. An attacker who wants to launch an attack must first acquire and collect information about the target; that is, the first step of an attack is information acquisition and collection, through which the attacker learns the system information of the devices in the target network, the network configuration, the services provided and similar information, in preparation for the subsequent attack. To obtain this information, attackers currently generally use active probing and analyze the information in the active probe responses.
Active probing is the process in which a remote device sends an active probe request over the network and the local device, in reply to that request, feeds back an active probe response containing the probe result information. For example, a sent ICMP (Internet Control Message Protocol) request or UDP (User Datagram Protocol) request is an active probe request, and the ICMP response or UDP response sent in return is an active probe response. From the active probe response an attacker can easily obtain the local device's system information, its network configuration, the services it provides and similar information.
In the prior art, active probe responses are all fed back in positive logic, that is, the fed-back result directly expresses the true result. Through active probing an attacker obtains the positive-logic active probe response and can then mine a great deal of key network data from it.
Therefore, in the prior art the feedback of active probe responses suffers from problems such as insecurity and information leakage, which greatly facilitates the attacker's subsequent attacks and poses a serious security risk.
Summary of the Invention
Embodiments of the present invention provide a method, device and system for processing an active probe response, so as to prevent an attacker from mining key network data from active probe responses and to improve network security.
To achieve the above object, an embodiment of the present invention provides a method for processing an active probe response, comprising the following steps: after receiving an active probe request from a remote device, the local device obtains the IP address of the remote device and obtains the positive-logic active probe response corresponding to the active probe request; the local device judges whether the IP address is within the trusted IP address domain range; if so, the local device sends the positive-logic active probe response to the remote device; if not, the local device performs negative-logic processing on the positive-logic active probe response to obtain a negative-logic active probe response, and sends the negative-logic active probe response to the remote device.
The local device performing negative-logic processing on the positive-logic active probe response to obtain the negative-logic active probe response specifically comprises: when the positive-logic active probe response is $S_i$ and $S_i \in S$, the local device performs negative-logic processing on the positive-logic active probe response, and the negative-logic active probe response obtained is a random arbitrary state in $S$ other than $S_i$; here $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of true response states corresponding to the active probe response, and $i \in \{1, 2, 3, \ldots, n\}$.
An embodiment of the present invention provides a device for processing an active probe response, the device specifically comprising: an acquisition module, configured to, after an active probe request from a remote device is received, obtain the IP address of the remote device and obtain the positive-logic active probe response corresponding to the active probe request; a judgment module, configured to judge whether the IP address is within the trusted IP address domain range; a processing module, configured to, when the judgment result is no, perform negative-logic processing on the positive-logic active probe response to obtain a negative-logic active probe response; and a sending module, configured to send the negative-logic active probe response to the remote device when the judgment result is no, and to send the positive-logic active probe response to the remote device when the judgment result is yes.
The processing module is specifically configured to, when the positive-logic active probe response is $S_i$ and $S_i \in S$, perform negative-logic processing on the positive-logic active probe response, the negative-logic active probe response obtained being a random arbitrary state in $S$ other than $S_i$; here $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of true response states corresponding to the active probe response, and $i \in \{1, 2, 3, \ldots, n\}$.
An embodiment of the present invention provides a method for processing an active probe response, comprising the following steps:
After receiving an active probe request from a remote device, the local device obtains the IP address of the remote device, obtains the positive-logic active probe response corresponding to the active probe request, and sends the IP address and the positive-logic active probe response to a trust determination module;
The trust determination module judges whether the IP address is within the trusted IP address domain range; if so, the trust determination module sends the information that the IP address is trusted, together with the positive-logic active probe response, to the local device, and the local device sends the positive-logic active probe response to the remote device; if not, the trust determination module sends the information that the IP address is untrusted, together with the positive-logic active probe response, to a negative logic system (NLS) processing module;
The NLS processing module performs negative-logic processing on the positive-logic active probe response to obtain a negative-logic active probe response and sends the negative-logic active probe response to the local device, and the local device sends the negative-logic active probe response to the remote device.
The NLS processing module performing negative-logic processing on the positive-logic active probe response to obtain the negative-logic active probe response comprises: when the positive-logic active probe response is $S_i$ and $S_i \in S$, the NLS processing module performs negative-logic processing on the positive-logic active probe response, and the negative-logic active probe response obtained is a random arbitrary state in $S$ other than $S_i$; here $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of true response states corresponding to the active probe response, and $i \in \{1, 2, 3, \ldots, n\}$.
The NLS processing module performing negative-logic processing on the positive-logic active probe response to obtain the negative-logic active probe response comprises: the NLS processing module determines that its input is the positive-logic active probe response; after negative-logic processing is performed on the positive-logic active probe response, the output obtained is an active probe response other than the positive-logic active probe response, and that other active probe response is the negative-logic active probe response.
An embodiment of the present invention provides a system for processing an active probe response, the system specifically comprising:
A local device, configured to, after receiving an active probe request from a remote device, obtain the IP address of the remote device, obtain the positive-logic active probe response corresponding to the active probe request, and send the IP address and the positive-logic active probe response to a trust determination module;
A trust determination module, configured to judge whether the IP address is within the trusted IP address domain range; if so, to send the information that the IP address is trusted, together with the positive-logic active probe response, to the local device, the local device then sending the positive-logic active probe response to the remote device; if not, to send the information that the IP address is untrusted, together with the positive-logic active probe response, to a negative logic system (NLS) processing module;
An NLS processing module, configured to perform negative-logic processing on the positive-logic active probe response to obtain a negative-logic active probe response and to send the negative-logic active probe response to the local device, the local device then sending the negative-logic active probe response to the remote device.
The NLS processing module is specifically configured to, when the positive-logic active probe response is $S_i$ and $S_i \in S$, perform negative-logic processing on the positive-logic active probe response, the negative-logic active probe response obtained being a random arbitrary state in $S$ other than $S_i$; here $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of true response states corresponding to the active probe response, and $i \in \{1, 2, 3, \ldots, n\}$.
The NLS processing module is specifically configured to determine that its input is the positive-logic active probe response; after negative-logic processing is performed on the positive-logic active probe response, the output obtained is an active probe response other than the positive-logic active probe response, and that other active probe response is the negative-logic active probe response.
Compared with the prior art, the embodiments of the present invention have at least the following advantages: by performing negative-logic processing on the positive-logic active probe response to obtain a negative-logic active probe response, and sending the negative-logic active probe response to the remote device, an attacker is prevented from mining key network data from the active probe response and therefore cannot launch an attack; network security is improved, the insecurity, information leakage and similar problems caused by positive logic are avoided, and security risks are thereby avoided. The approach has significant application value in the fields of network security and information security and can contain and prevent attacks; it also has considerable practical and market value for improving the security of new technologies such as the Internet of Things and the Internet of Vehicles and for the secure application of the new services built on those technologies.
Brief Description of the Drawings
To illustrate the technical solutions of the present invention more clearly, the drawings used in describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the method for processing an active probe response provided by Embodiment 1 of the present invention;
Fig. 2 is a flowchart of the method for processing an active probe response provided by Embodiment 2 of the present invention;
Fig. 3 is a schematic diagram of performing negative-logic processing on an active probe response in an embodiment of the present invention;
Fig. 4 is a structural diagram of the device for processing an active probe response provided by Embodiment 3 of the present invention;
Fig. 5 is a structural diagram of the system for processing an active probe response provided by Embodiment 4 of the present invention.
Detailed Description
The technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention.
Embodiment 1
Embodiment 1 of the present invention provides a method for processing an active probe response in which the states of the active probe response are expressed in negative logic according to the negative logic system (NLS), so that an attacker cannot obtain information usable for an effective attack from the active probe response received. As shown in Fig. 1, the method comprises at least the following steps:
Step 101: After receiving an active probe request from a remote device, the local device obtains the IP address of the remote device and obtains the positive-logic active probe response corresponding to the active probe request.
The IP address of the remote device can be obtained from the active probe request. The active probe request is Msg_Request, the positive-logic active probe response is Msg_Respond_PLS, and the positive-logic active probe response is the active probe response obtained in the existing manner.
Step 102: The local device judges whether this IP address (the IP address of the remote device) is within the trusted IP address domain range; if so, step 103 is performed; if not, step 104 is performed.
IP addresses within the trusted IP address domain range are legitimate IP addresses.
Step 103: The local device sends the positive-logic active probe response to the remote device.
Step 104: The local device performs negative-logic processing on the positive-logic active probe response to obtain a negative-logic active probe response, and sends the negative-logic active probe response to the remote device.
In this embodiment of the present invention, suppose that the active probe response has $n$ true response states in total, denoted $S_1, S_2, S_3, \ldots, S_n$, and let $S = \{S_1, S_2, S_3, \ldots, S_n\}$. Then for any response state $S_i \in S$, where $i \in \{1, 2, 3, \ldots, n\}$, the logical value that the negative logic system NLS assigns to the active probe response is a random arbitrary state in $S$ other than $S_i$, that is:
$$\mathrm{NLS}(S_i) \overset{\mathrm{def}}{=} \{\, S_j \mid S_j \in S,\ S_j \neq S_i,\ j \in \{1, 2, 3, \ldots, n\} \,\}.$$
On this basis, the local device performing negative-logic processing on the positive-logic active probe response to obtain the negative-logic active probe response specifically comprises: when the positive-logic active probe response is $S_i$ and $S_i \in S$, the local device performs negative-logic processing on the positive-logic active probe response, and the negative-logic active probe response obtained is a random arbitrary state in $S$ other than $S_i$; here $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of true response states corresponding to the active probe response, and $i \in \{1, 2, 3, \ldots, n\}$.
In summary, with the technical solution proposed by this embodiment of the present invention, negative-logic processing is performed on the positive-logic active probe response to obtain a negative-logic active probe response, and the negative-logic active probe response is sent to the remote device. An attacker is thereby prevented from mining key network data from the active probe response and cannot launch an attack; network security is improved, the insecurity, information leakage and similar problems caused by positive logic are avoided, and security risks are thereby avoided. Further, the approach has significant application value in the fields of network security and information security and can contain and prevent attacks; it also has considerable practical and market value for improving the security of new technologies such as the Internet of Things and the Internet of Vehicles and for the secure application of the new services built on those technologies.
Embodiment 2
Embodiment 2 of the present invention provides a method for processing an active probe response in which the states of the active probe response are expressed in negative logic according to the negative logic system (NLS), so that an attacker cannot obtain information usable for an effective attack from the active probe response received. As shown in Fig. 2, the method comprises at least the following steps:
Step 201: After receiving an active probe request from a remote device, the local device obtains the IP address of the remote device, obtains the positive-logic active probe response corresponding to the active probe request, and outputs the IP address and the positive-logic active probe response to the trust determination module.
The IP address of the remote device can be obtained from the active probe request. The active probe request is Msg_Request, the positive-logic active probe response is Msg_Respond_PLS, and the positive-logic active probe response is the active probe response obtained in the existing manner.
Step 202: The trust determination module judges whether this IP address (the IP address of the remote device) is within the trusted IP address domain range; if so, step 203 is performed; if not, step 205 is performed.
IP addresses within the trusted IP address domain range are legitimate IP addresses.
Step 203: The trust determination module sends the information that the IP address is trusted, together with the positive-logic active probe response, to the local device. After receiving the IP address and the positive-logic active probe response, if the trust determination module finds that the IP address is within the trusted IP address domain range, it determines that the IP address is trusted and sends the information that the IP address is trusted (for example, the trust determination result YES) together with the positive-logic active probe response to the local device.
Step 204: The local device sends the positive-logic active probe response to the remote device.
Step 205: The trust determination module sends the information that the IP address is untrusted, together with the positive-logic active probe response, to the NLS processing module. After receiving the IP address and the positive-logic active probe response, if the trust determination module finds that the IP address is not within the trusted IP address domain range, it determines that the IP address is untrusted and sends the information that the IP address is untrusted (for example, the trust determination result NO) together with the positive-logic active probe response to the NLS processing module.
Step 206: The NLS processing module performs negative-logic processing on the positive-logic active probe response to obtain a negative-logic active probe response, and sends the negative-logic active probe response to the local device.
The negative-logic active probe response is Msg_Respond_NLS, and it is the active probe response that is finally to be sent to the remote device.
In this embodiment of the present invention, suppose that the active probe response has $n$ true response states in total, denoted $S_1, S_2, S_3, \ldots, S_n$, and let $S = \{S_1, S_2, S_3, \ldots, S_n\}$. Then for any response state $S_i \in S$, where $i \in \{1, 2, 3, \ldots, n\}$, the logical value that the negative logic system NLS assigns to the active probe response is a random arbitrary state in $S$ other than $S_i$, that is:
$$\mathrm{NLS}(S_i) \overset{\mathrm{def}}{=} \{\, S_j \mid S_j \in S,\ S_j \neq S_i,\ j \in \{1, 2, 3, \ldots, n\} \,\}.$$
On this basis, the NLS processing module performing negative-logic processing on the positive-logic active probe response to obtain the negative-logic active probe response comprises: when the positive-logic active probe response is $S_i$ and $S_i \in S$, the NLS processing module performs negative-logic processing on the positive-logic active probe response, and the negative-logic active probe response obtained is a random arbitrary state in $S$ other than $S_i$; here $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of true response states corresponding to the active probe response, and $i \in \{1, 2, 3, \ldots, n\}$.
Further, in one specific implementation of this embodiment, the process in which the NLS processing module performs negative-logic processing on the positive-logic active probe response to obtain the negative-logic active probe response includes but is not limited to the following: the NLS processing module determines that its input is the positive-logic active probe response; after negative-logic processing is performed on the positive-logic active probe response, the output obtained is an active probe response other than the positive-logic active probe response, and that other active probe response is the negative-logic active probe response.
Step 207: The local device sends the negative-logic active probe response to the remote device.
In summary, with the technical solution proposed by this embodiment of the present invention, negative-logic processing is performed on the positive-logic active probe response to obtain a negative-logic active probe response, and the negative-logic active probe response is sent to the remote device. An attacker is thereby prevented from mining key network data from the active probe response and cannot launch an attack; network security is improved, the insecurity, information leakage and similar problems caused by positive logic are avoided, and security risks are thereby avoided. Further, the approach has significant application value in the fields of network security and information security and can contain and prevent attacks; it also has considerable practical and market value for improving the security of new technologies such as the Internet of Things and the Internet of Vehicles and for the secure application of the new services built on those technologies.
The negative-logic processing itself (step 104 or step 206) is described further below with reference to Fig. 3, the schematic diagram of performing negative-logic processing on an active probe response.
Item 101 is the input item and holds the input value, for example $S_i$; the value of item 101 is output to item 102. Item 102 is the NLS processing center, which includes but is not limited to: the selection and transformation of the NLS processing mechanism and system, screening, the operation methods adopted, and so on. The result of item 102 is output to one of items 103, 104, 105, 106 and 107. Items 103, 104, 105, 106 and 107 are all output items; each time, exactly one of them serves as the actual output item for that run and receives the output result from item 102. Which item it is depends on the output result of item 102, for example the output value $S_2$. By this method, under the negative logic system NLS, the logic value corresponding to $S_i$ on this occasion is $S_2$.
In a specific application scenario, the use of FTP (File Transfer Protocol) commands is taken as an example. FTP response codes are three-digit numbers, and each response code represents a different response message. FTP has 39 response codes in total, numbered: 110, 120, 125, 150, 200, 202, 211, 212, 213, 214, 215, 220, 221, 225, 226, 227, 230, 250, 257, 331, 332, 350, 421, 425, 426, 450, 451, 452, 500, 501, 502, 503, 504, 530, 532, 550, 551, 552, 553.
Application scenario 1: User A, in the trusted domain, makes an FTP access to a host. The IP address of user A is IP1 and the IP address of the host is IP_HOST. After user A sends an FTP request to the host, the host first obtains the FTP request, extracts IP1 from it, and at the same time obtains the positive-logic active probe response. Suppose the positive-logic probe response code is 452 (indicating insufficient disk storage space); the host then sends IP1 and probe response code 452 to the trust determination module. Because IP1 is within the trusted domain, the trust determination result is YES; the trust determination module sends the result YES and probe response code 452 to the host, and the host returns probe response code 452 to user A. On receiving probe response code 452, user A knows that the host's disk storage space is currently insufficient.
Application scenario 2: User B, in the untrusted domain, makes an FTP access to a host. The IP address of user B is IP2 and the IP address of the host is IP_HOST. After user B sends an FTP request to the host, the host first obtains the FTP request, extracts IP2 from it, and at the same time obtains the positive-logic active probe response. Suppose the positive-logic probe response code is 452 (indicating insufficient disk storage space); the host then sends IP2 and probe response code 452 to the trust determination module. Because IP2 is not within the trusted domain, the trust determination result is NO, and the trust determination module sends the result NO and probe response code 452 to the negative logic system NLS. The NLS performs negative-logic processing on probe response code 452; the result is any one of the 39 probe response codes other than 452, here assumed to be probe response code 532 (indicating that an account is needed to store files). The NLS then sends probe response code 532 to the host, and the host returns probe response code 532 to user B. On receiving probe response code 532, user B believes that storing files requires an account and does not know that the host's disk storage space is currently insufficient, which reduces or prevents the acquisition of the host's real information by users in the untrusted domain.
Embodiment three
Based on the same inventive concept as the above method, an embodiment of the present invention further provides a device for processing active probe responses. As shown in Fig. 4, the device comprises:
An acquisition module 11, configured to, after receiving an active probe request from a remote device, obtain the IP address of the remote device and obtain the forward-logic active probe response corresponding to the active probe request;
A judging module 12, configured to judge whether the IP address lies within the range of the IP address trusted domain;
A processing module 13, configured to, when the judgment result is no, perform negative logic processing on the forward-logic active probe response to obtain a negative-logic active probe response;
A sending module 14, configured to send the negative-logic active probe response to the remote device when the judgment result is no, and to send the forward-logic active probe response to the remote device when the judgment result is yes.
The processing module 13 is specifically configured to, when the forward-logic active probe response is $S_i$ and $S_i \in S$, perform negative logic processing on the forward-logic active probe response, the resulting negative-logic active probe response being a random arbitrary state in $S$ other than $S_i$; where $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of real response states corresponding to active probe responses, and $i \in \{1, 2, 3, \ldots, n\}$.
The modules of the device of the present invention may be integrated into one unit or deployed separately. The above modules may be merged into one module or further split into multiple sub-modules.
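The judging, processing and sending modules of this device, applied to application scenarios 1 and 2, can be sketched as follows. This is an added example, not code from the patent: the trusted-domain network, the two client addresses, the function names and the reduced set of FTP reply codes standing in for S are all constructed for illustration.

```python
import ipaddress
import secrets

# Constructed trusted domain (a documentation address range); an assumption.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# S: the set of real response states. A reduced, constructed subset of the
# standard FTP reply codes (RFC 959); the scenarios above use 452 and 532.
RESPONSE_STATES = {
    421: "Service not available, closing control connection",
    425: "Can't open data connection",
    450: "Requested file action not taken; file unavailable",
    452: "Requested action not taken; insufficient storage space",
    530: "Not logged in",
    532: "Need account for storing files",
    550: "Requested action not taken; file unavailable",
}


def in_trusted_domain(remote_ip, networks=TRUSTED_NETWORKS):
    """Judging module: is the remote IP inside the IP address trusted domain?"""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        # Design choice of this example: an unparsable source is never trusted.
        return False
    return any(addr in net for net in networks)


def negative_logic(true_code, states=RESPONSE_STATES, choose=secrets.choice):
    """Processing module (NLS): return a random state in S other than S_i."""
    if true_code not in states:
        raise ValueError(f"{true_code} is not a member of S")
    candidates = sorted(code for code in states if code != true_code)
    if not candidates:
        # With n = 1 there is no state other than S_i to answer with.
        raise ValueError("S must hold at least two states")
    return choose(candidates)


def handle_probe(remote_ip, true_code):
    """Sending module: choose the response returned to the remote device."""
    if in_trusted_domain(remote_ip):
        return true_code                 # forward-logic response
    return negative_logic(true_code)     # negative-logic response


def describe(code):
    """Render a reply code with its text, as it would appear on the wire."""
    return f"{code} {RESPONSE_STATES[code]}"


if __name__ == "__main__":
    # Scenario 1: user A (trusted) sees the real state.
    print("user A:", describe(handle_probe("192.0.2.10", 452)))
    # Scenario 2: user B (untrusted) sees some other state from S.
    print("user B:", describe(handle_probe("198.51.100.7", 452)))
```

The `choose` parameter defaults to `secrets.choice`, so the substituted state is drawn from a cryptographically strong source; it is injectable only so the selection can be tested deterministically.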
Embodiment four
Based on the same inventive concept as the above method, an embodiment of the present invention further provides a system for processing active probe responses. The system specifically comprises: a local device, configured to, after receiving an active probe request from a remote device, obtain the IP address of the remote device, obtain the forward-logic active probe response corresponding to the active probe request, and send the IP address and the forward-logic active probe response to a credible determination module; the credible determination module, configured to judge whether the IP address lies within the range of the IP address trusted domain; if so, to send the information that the IP address is credible, together with the forward-logic active probe response, to the local device, which sends the forward-logic active probe response to the remote device; if not, to send the information that the IP address is not credible, together with the forward-logic active probe response, to a negative logic system (NLS) processing module; and the NLS processing module, configured to perform negative logic processing on the forward-logic active probe response to obtain a negative-logic active probe response, and to send the negative-logic active probe response to the local device, which sends the negative-logic active probe response to the remote device.
The NLS processing module is specifically configured to, when the forward-logic active probe response is $S_i$ and $S_i \in S$, perform negative logic processing on the forward-logic active probe response, the resulting negative-logic active probe response being a random arbitrary state in $S$ other than $S_i$; where $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of real response states corresponding to active probe responses, and $i \in \{1, 2, 3, \ldots, n\}$.
The NLS processing module is specifically configured to determine that the input of the NLS processing module is the forward-logic active probe response; after negative logic processing is performed on the forward-logic active probe response, the output obtained is an active probe response other than the forward-logic active probe response, and that other active probe response is the negative-logic active probe response.
The system for processing active probe responses is described further below with reference to Fig. 5.
As shown in Fig. 5, components 201, 202 and 203 each represent an input item of the active probe response system; that is, components 201, 202 and 203 are active probe requests with input values such as $I_1, I_2, \ldots, I_n$. The values of components 201, 202 and 203 are output to local device 211.
Local device 211 receives the outputs of components 201, 202 and 203, and outputs the forward-logic active probe responses $FR_1, FR_2, \ldots, FR_n$ and the corresponding IP addresses IP1, IP2, ..., IPn to credible determination modules 221, 222 and 223.
Credible determination modules 221, 222 and 223 perform a credible determination on the extracted IP address, judging from the range of the trusted domain whether the IP address is a credible IP address. If the IP address is credible, the credible determination result is YES; if the IP address is not credible, the credible determination result is NO. The credible determination result is then output, and depending on the result the output goes to different modules. When the credible determination result is YES, the forward-logic active probe responses $FR_1, FR_2, \ldots, FR_n$ are output to components 241, 242 and 243. When the credible determination result is NO, the forward-logic active probe responses $FR_1, FR_2, \ldots, FR_n$ are output to NLS processing modules 231, 232 and 233.
NLS processing modules 231, 232 and 233 perform negative logic processing on the active probe responses $FR_1, FR_2, \ldots, FR_n$ for which the credible determination result is NO, thereby obtaining the negative-logic active probe responses, and output them. That is, NLS processing modules 231, 232 and 233 receive the output of the credible determination modules, namely the forward-logic active probe responses $FR_1, FR_2, \ldots, FR_n$, and output the negative-logic active probe responses to components 241, 242 and 243.
Components 241, 242 and 243 each represent an output item; that is, they output the probe response result they receive. The source of the data they receive depends on the credible determination result. When the credible determination result is YES, components 241, 242 and 243 receive the outputs of credible determination modules 221, 222 and 223 respectively, namely the forward-logic active probe responses $FR_1, FR_2, \ldots, FR_n$, as the output values $R_1, R_2, \ldots, R_n$. When the credible determination result is NO, components 241, 242 and 243 receive the outputs of NLS processing modules 231, 232 and 233 respectively, namely the final active probe response results after negative logic processing, as the output values $R_1, R_2, \ldots, R_n$.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment of the present invention.
Those skilled in the art will appreciate that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required for implementing the present invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment may be distributed in the device of the embodiment as described, or may be changed accordingly and located in one or more devices different from that of the present embodiment. The modules of the above embodiments may be merged into one module or further split into multiple sub-modules.
The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the relative merit of the embodiments.
The above are only several specific embodiments of the present invention, but the present invention is not limited to them; any variation that a person skilled in the art can conceive of shall fall within the protection scope of the present invention.

Claims (10)

1. A method for processing an active probe response, characterized in that the method comprises the following steps:
a local device, after receiving an active probe request from a remote device, obtains the IP address of the remote device and obtains the forward-logic active probe response corresponding to the active probe request;
the local device judges whether the IP address lies within the range of the IP address trusted domain;
if so, the local device sends the forward-logic active probe response to the remote device;
if not, the local device performs negative logic processing on the forward-logic active probe response to obtain a negative-logic active probe response, and sends the negative-logic active probe response to the remote device.
2. The method of claim 1, characterized in that the local device performing negative logic processing on the forward-logic active probe response to obtain the negative-logic active probe response specifically comprises:
when the forward-logic active probe response is $S_i$ and $S_i \in S$, the local device performs negative logic processing on the forward-logic active probe response, the resulting negative-logic active probe response being a random arbitrary state in $S$ other than $S_i$; where $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of real response states corresponding to active probe responses, and $i \in \{1, 2, 3, \ldots, n\}$.
3. A device for processing an active probe response, characterized in that the device specifically comprises:
an acquisition module, configured to, after receiving an active probe request from a remote device, obtain the IP address of the remote device and obtain the forward-logic active probe response corresponding to the active probe request;
a judging module, configured to judge whether the IP address lies within the range of the IP address trusted domain;
a processing module, configured to, when the judgment result is no, perform negative logic processing on the forward-logic active probe response to obtain a negative-logic active probe response;
a sending module, configured to send the negative-logic active probe response to the remote device when the judgment result is no, and to send the forward-logic active probe response to the remote device when the judgment result is yes.
4. The device of claim 3, characterized in that
the processing module is specifically configured to, when the forward-logic active probe response is $S_i$ and $S_i \in S$, perform negative logic processing on the forward-logic active probe response, the resulting negative-logic active probe response being a random arbitrary state in $S$ other than $S_i$; where $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of real response states corresponding to active probe responses, and $i \in \{1, 2, 3, \ldots, n\}$.
5. A method for processing an active probe response, characterized in that the method comprises the following steps:
a local device, after receiving an active probe request from a remote device, obtains the IP address of the remote device, obtains the forward-logic active probe response corresponding to the active probe request, and sends the IP address and the forward-logic active probe response to a credible determination module;
the credible determination module judges whether the IP address lies within the range of the IP address trusted domain; if so, the credible determination module sends the information that the IP address is credible, together with the forward-logic active probe response, to the local device, and the local device sends the forward-logic active probe response to the remote device; if not, the credible determination module sends the information that the IP address is not credible, together with the forward-logic active probe response, to a negative logic system (NLS) processing module;
the NLS processing module performs negative logic processing on the forward-logic active probe response to obtain a negative-logic active probe response, and sends the negative-logic active probe response to the local device, and the local device sends the negative-logic active probe response to the remote device.
6. The method of claim 5, characterized in that the NLS processing module performing negative logic processing on the forward-logic active probe response to obtain the negative-logic active probe response comprises:
when the forward-logic active probe response is $S_i$ and $S_i \in S$, the NLS processing module performs negative logic processing on the forward-logic active probe response, the resulting negative-logic active probe response being a random arbitrary state in $S$ other than $S_i$; where $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of real response states corresponding to active probe responses, and $i \in \{1, 2, 3, \ldots, n\}$.
7. The method of claim 5, characterized in that the NLS processing module performing negative logic processing on the forward-logic active probe response to obtain the negative-logic active probe response comprises:
the NLS processing module determines that the input of the NLS processing module is the forward-logic active probe response; after negative logic processing is performed on the forward-logic active probe response, the output obtained is an active probe response other than the forward-logic active probe response, and that other active probe response is the negative-logic active probe response.
8. A system for processing an active probe response, characterized in that the system specifically comprises:
a local device, configured to, after receiving an active probe request from a remote device, obtain the IP address of the remote device, obtain the forward-logic active probe response corresponding to the active probe request, and send the IP address and the forward-logic active probe response to a credible determination module;
the credible determination module, configured to judge whether the IP address lies within the range of the IP address trusted domain; if so, to send the information that the IP address is credible, together with the forward-logic active probe response, to the local device, which sends the forward-logic active probe response to the remote device; if not, to send the information that the IP address is not credible, together with the forward-logic active probe response, to a negative logic system (NLS) processing module;
the NLS processing module, configured to perform negative logic processing on the forward-logic active probe response to obtain a negative-logic active probe response, and to send the negative-logic active probe response to the local device, which sends the negative-logic active probe response to the remote device.
9. The system of claim 8, characterized in that
the NLS processing module is specifically configured to, when the forward-logic active probe response is $S_i$ and $S_i \in S$, perform negative logic processing on the forward-logic active probe response, the resulting negative-logic active probe response being a random arbitrary state in $S$ other than $S_i$; where $S = \{S_1, S_2, S_3, \ldots, S_n\}$, $S$ is the set of real response states corresponding to active probe responses, and $i \in \{1, 2, 3, \ldots, n\}$.
10. The system of claim 8, characterized in that
the NLS processing module is specifically configured to determine that the input of the NLS processing module is the forward-logic active probe response; after negative logic processing is performed on the forward-logic active probe response, the output obtained is an active probe response other than the forward-logic active probe response, and that other active probe response is the negative-logic active probe response.
CN201310595077.3A 2013-11-21 2013-11-21 A kind of processing method, equipment and the system of active probe response Active CN104660563B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310595077.3A CN104660563B (en) 2013-11-21 2013-11-21 A kind of processing method, equipment and the system of active probe response

Publications (2)

Publication Number Publication Date
CN104660563A true CN104660563A (en) 2015-05-27
CN104660563B CN104660563B (en) 2018-05-04

Family

ID=53251268

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant